Unknown, Unmanaged, & Unprotected Privileged Accounts Violate Compliance Mandates

To pass your next compliance audit you must demonstrate effective privilege management

Compliance audits are time-consuming and stressful, but you can’t avoid them.

Failure to comply can be risky, expensive, and embarrassing.

Privilege management helps you meet requirements and prove compliance.

Every major security framework & regulation demands proper password protection

New compliance standards are emerging and audits are becoming more frequent and intense. Compliance bodies are now mandating a higher level of responsibility for security leaders, executives, and Boards of Directors.

Virtually every organization that handles data must abide by security compliance requirements. If you handle any type of personal, financial, or health information, you must be able to demonstrate compliance or face significant financial penalties and public embarrassment. If you are seeking government contracts, you must receive a stamp of approval from security auditors to be successful.

Compliance for compliance’s sake is not the goal. The real goal is effective security against rising cyber threats. Even if you are not required by law to comply, you can use compliance regulations as a framework for security best practices. Effective privilege management helps you pass compliance audits and reduces your cyber risk.

Before auditors come knocking, get smart about compliance

How can you prepare for a compliance audit? Start with an internal audit to see how you map to regulatory requirements and see where you stand.

As part of the audit, you must identify all the privileged accounts in your organization and explain how controls over privileges work to safeguard protected data. Many organizations have hundreds or thousands of privileged accounts. That list includes service accounts that are not associated with individuals and may easily slip through the cracks. It includes privileged accounts in operating systems and platforms beyond Windows, such as root and other accounts in Unix/Linux.

Why would 70% of organizations fail a cyber security compliance audit?

Many organizations don’t have effective password management practices in place. Even if you have written a password policy and rolled out compliance training, without the right controls people will fall back on bad habits. In a compliance review, auditors will find security gaps such as missing passwords, duplicate passwords, or password sharing.

To pass an audit, you must implement and enforce granular limitations on access privileges for systems and data. You must monitor and report on ongoing access for internal users and third parties. Password protection and privileged access policies should be consistent, regardless of platform.

A one-time clean-up before an audit is not the solution. Increasingly, audit bodies are looking for demonstrable proof that cyber security policies can be maintained on an ongoing basis. Auditors are looking for systematic, automated security controls. You may not get a second chance to correct the mistakes.
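The internal audit described above has two concrete steps that can be automated: build an inventory of every privileged account (UID 0 accounts, admin-group members, sudoers entries, and the service accounts that tend to be overlooked), then compare that inventory against what the vault actually manages to surface the gaps auditors look for (unmanaged accounts, duplicate secrets, shared secrets). The script below is an added illustration, not Thycotic/Delinea code or a Secret Server feature. Its inputs (`PASSWD`, `GROUP`, `SUDOERS`, `VAULT`) are constructed samples embedded inline; in a real audit you would read the live `/etc/passwd`, `/etc/group`, `/etc/sudoers` and an export from your vault, and the `VAULT` fingerprints stand in for whatever comparison key your vault exposes (never plaintext secrets).

```python
"""Privileged-account inventory and password-hygiene check (added example)."""
from collections import defaultdict

# Constructed sample of /etc/passwd (name:x:uid:gid:gecos:home:shell)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:998:998:backup agent:/var/lib/backup:/usr/sbin/nologin
www-data:x:33:33:web:/var/www:/usr/sbin/nologin
"""

# Constructed sample of /etc/group (name:x:gid:member,member)
GROUP = """\
sudo:x:27:alice
wheel:x:10:bob,svc-backup
"""

# Constructed sample of /etc/sudoers with comments already stripped
SUDOERS = """\
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed vault export: account -> (owners who can check it out, secret fingerprint).
# Fingerprints are placeholders for the vault's own comparison key; a vault never
# exports plaintext. Any privileged account missing here is unmanaged.
VAULT = {
    "root":       (["alice"],        "fp-1"),
    "toor":       (["alice", "bob"], "fp-1"),  # same secret as root, and shared
    "alice":      (["alice"],        "fp-2"),
    "svc-backup": (["bob"],          "fp-3"),
}

# Group names that grant administrative rights on typical Linux/Unix hosts
ADMIN_GROUPS = {"sudo", "wheel", "admin"}


def parse_passwd(text):
    """Map user name -> {uid, shell} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_group(text):
    """Map group name -> set of member user names."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (user names, group names) that carry a sudoers rule."""
    users, groups = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] == "Defaults":
            continue
        who = parts[0]
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def privileged_accounts(passwd, group, sudoers):
    """Inventory: name -> {reasons it is privileged, whether it is a service account}."""
    users, groups = parse_passwd(passwd), parse_group(group)
    sudo_users, sudo_groups = parse_sudoers(sudoers)
    inventory = {}
    for name, info in users.items():
        member_of = {g for g, members in groups.items() if name in members}
        reasons = []
        if info["uid"] == 0:
            reasons.append("uid0")
        if member_of & ADMIN_GROUPS:
            reasons.append("admin-group")
        if name in sudo_users or member_of & sudo_groups:
            reasons.append("sudoers")
        if reasons:
            # Service accounts: no interactive shell, or a system UID other than root
            service = info["shell"].endswith(("nologin", "false")) or (0 < info["uid"] < 1000)
            inventory[name] = {"reasons": sorted(reasons), "service": service}
    return inventory


def password_findings(inventory, vault):
    """Gaps an auditor would flag: unmanaged, shared and duplicate privileged secrets."""
    findings, by_fingerprint = [], defaultdict(list)
    for name in sorted(inventory):
        if name not in vault:
            findings.append(("unmanaged", name))
            continue
        owners, fingerprint = vault[name]
        by_fingerprint[fingerprint].append(name)
        if len(owners) > 1:
            findings.append(("shared", name))
    for names in by_fingerprint.values():
        if len(names) > 1:
            findings.append(("duplicate", ",".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    inv = privileged_accounts(PASSWD, GROUP, SUDOERS)
    for name, detail in sorted(inv.items()):
        kind = "service" if detail["service"] else "user"
        print(f"{name:12} {kind:8} {' '.join(detail['reasons'])}")
    for kind, subject in password_findings(inv, VAULT):
        print(f"FINDING {kind:10} {subject}")
```

Run it as-is and the report lists five privileged accounts (two of them UID 0, one an unmanaged non-interactive service account that still has a NOPASSWD sudo rule) and three findings: `bob` has admin rights but no vault entry, `toor` is checked out by more than one owner, and `root` and `toor` share one secret. Feeding the script real files turns the one-time clean-up into a repeatable control you can run on a schedule and keep as evidence.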

Try Secret Server

Free for 30 Days

Thycotic’s Secret Server assures the protection of privileged accounts while being a highly scalable solution that is the fastest to deploy and the easiest to use.

Choose your preferred deployment option and access free enterprise-level support.

See why organizations are leveraging Secret Server to help meet compliance standards. Start your free trial today.

See How Your Security Practices Map to Compliance Requirements

Which compliance regulations do you need to follow? How can you satisfy auditors? Some regulations are highly prescriptive, while others give you broad guidelines but leave the detailed decisions up to you. See how your privilege management practices stack up to the latest compliance requirements. Make sure you know the deadlines so you can be ready when the auditors arrive.

  • EU GDPR

    Any organization dealing with EU citizens’ Personally Identifiable Information is obligated to meet standards for effective data protection, adequate security measures, and privacy by design to comply with EU GDPR.

  • NERC/CIP

    Under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) plan, energy and utility companies must ensure strict access control in order to protect assets from the threat of a cyber attack.

  • CIS Controls

    The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is a set of security best practices, including password protection, designed to prevent the most common and significant cyber threats.

  • NYCRR

    One of the strictest cyber security regulations at a federal or state level, NYCRR applies to New York insurance companies, banks, and other regulated financial services institutions, including agencies and branches of non-US banks licensed in the state of New York.

  • HIPAA

    Any organization that creates, receives, maintains, or transmits electronic protected health information (ePHI) in the US must meet HIPAA requirements for access control and data sharing.

  • SOX

    Sarbanes-Oxley (SOX) is designed to reduce corporate fraud by requiring an increase in the strength and granularity of security controls for financial auditing and reporting.

  • PCI DSS

    PCI DSS provides organizations that accept, store, or transmit credit card data with guidelines for privilege management and a framework to protect cardholder data.

  • UK Cyber Essentials

    Contractors in the UK that handle sensitive or personal information must receive Cyber Essentials Certification to demonstrate understanding and enforcement of privilege management.

  • NIST / FISMA

    In NIST SP 800-53, the National Institute of Standards and Technology (NIST) outlines the steps federal agencies and government contractors must take to meet FISMA’s privilege management requirements.

  • UAE NESA

    The National Electronic Security Authority (NESA) in the United Arab Emirates requires government entities and businesses in critical sectors to closely control and protect privileged accounts.

  • New Zealand Cyber Security Strategy

    The refreshed New Zealand Cyber Security Strategy adds an Action Plan and a National Plan to Address Cybercrime to its original four key principles, and replaces the New Zealand Cyber Security Strategy of 2011.

Join the webinar

Compliance and Privileged Account Management – A Perfect Match


While the relationship between compliance and Privileged Account Management hasn’t always been rosy, bringing them together is not as difficult as you might think. GDPR, SOX, PCI and other regulations now require you to demonstrate proper protection and security around privileged users and account access.

Join Thycotic’s Product Manager, Dan Ritch, as he demonstrates how to match your compliance requirements with automated Privileged Account Management for:

  • Monitoring and managing Privileged Users
  • Protecting against Insider Threats with advanced behavior analytics
  • Streamlined reporting to help satisfy audit reviews

Our Speaker

Steve Goldberg
Senior Product Manager

Privileged Access Management Policy Template

To save you time, this template contains over 40 pre-written policy statements to get you started. They are based on compliance requirements outlined by CIS, NIST, PCI and HIPAA related to best-practice management of privileged accounts.